Does Splunk Support ShA-256 or SHA -1?

allamiro — Mon, 08 Apr 2013 14:27:51 GMT

Does Splunk Support ShA-256 or is it backwards compatible with SHA -1?

Re: Does Splunk Support ShA-256 or SHA -1?

Ayn — Mon, 08 Apr 2013 16:59:02 GMT

Support SHA-256/SHA-1 for what?

Re: Does Splunk Support ShA-256 or SHA -1?

jasonchangbompa — Mon, 28 Sep 2020 16:05:56 GMT

Basically. Splunk index data is encrypted as SHA-256

audit.conf

EVENT HASHING: turn on SHA256 event hashing.

[eventHashing]
* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.
filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right. Two special filters are provided
by default:
blacklist_all and whitelist_all, use them to terminate the list of your filters. For example
if your list contains only whitelists, then terminating it with blacklist_all will result in
signing of only events that match any of the whitelists. The default implicit filter list
terminator is whitelist_all.

====================================================================
In Version 6.0.2, you can set SHA-256 in authentication.conf for user password.

[authentication]
* Follow this stanza name with any number of the following attribute/value pairs.

authType = [Splunk|LDAP|Scripted]
* Specify which authentication system to use.
* Supported values: Splunk, LDAP, Scripted.
* Defaults to Splunk.

authSettings = ,,...
* Key to look up the specific configurations of chosen authentication system.
* is the name of a stanza header that specifies attributes for an LDAP strategy
or for scripted authentication. Those stanzas are defined below.
* For LDAP, specify the LDAP strategy name(s) here. If you want Splunk to query multiple LDAP servers,
enter a comma-separated list of all strategies. Each strategy must be defined in its own stanza. The order in
which you specify the strategy names will be the order Splunk uses to query their servers when looking for a user.
* For scripted authentication, should be a single stanza name.

passwordHashAlgorithm = [SHA512-crypt|SHA256-crypt|SHA512-crypt-|SHA256-crypt-|MD5-crypt]
* For the default "Splunk" authType, this controls how hashed passwords are stored in the $SPLUNK_HOME/etc/passwd file.
* "MD5-crypt" is an algorithm originally developed for FreeBSD in the early 1990's which became a widely used
standard among UNIX machines. It was also used by Splunk up through the 5.0.x releases. MD5-crypt runs the
salted password through a sequence of 1000 MD5 operations.
* "SHA256-crypt" and "SHA512-crypt" are newer versions that use 5000 rounds of the SHA256 or SHA512 hash
functions. This is slower than MD5-crypt and therefore more resistant to dictionary attacks. SHA512-crypt
is used for system passwords on many versions of Linux.
* These SHA-based algorithm can optionally be followed by a number of rounds to use. For example,
"SHA512-crypt-10000" will use twice as many rounds of hashing as the default implementation. The
number of rounds must be at least 1000.
* This setting only affects new password settings (either when a user is added or a user's password
is changed) Existing passwords will continue to work but retain their previous hashing algorithm.
* The default is "SHA512-crypt".

topic Does Splunk Support ShA-256 or SHA -1? in Security

Does Splunk Support ShA-256 or SHA -1?

Re: Does Splunk Support ShA-256 or SHA -1?

Re: Does Splunk Support ShA-256 or SHA -1?

EVENT HASHING: turn on SHA256 event hashing.